For information systems of entities such as local governments, administrative agents, and private-sector institutions, studies have been in progress on inquiry and provision of users' attribute information among the entities for the purpose of improving the users' convenience and work efficiency. Attribute information of the user to be inquired and provided in the above case includes sensitive information which is personal information (various kinds of information such as name, address, tax payment and medical history) of the users.
In this regard, ID-WSF (Identify Web Service Framework) is provided as typical specifications for cooperative handling of such sensitive information among entities by implementing inquiry and provision of attribute information based on the agreement of the user. In ID-WSF, attribute information is inquired and provided among entities such as: a WSP (Web Service Provider) that is an information providing entity managing and providing attribute information of the user; a WSC (Web Service Consumer) that is an information inquiring entity providing services to the user by using the inquired attribute information of the user; and a DS (Discovery Service) that is a coordination apparatus providing a solution about the access destination, that is, determining which the WSP to inquire to when WSC inquires attribute information of a specific user.
In ID-WSF, the DS needs to manage associations between users and WSPs in order to give a response to a WSC. Therefore, there is a problem that a leakage of personal information on the user may occur if information associating the users and the WSPs with each other is leaked by an attacker outside the DS or by a malicious person inside the DS. For example, when a WSP associated with a user is a specialized medical institution, it may be presumed that the user has a disease specialized by the medical institution, and thereby the user's disease case may be leaked to the outside.
In view of the foregoing problems, for example, there is a proposed method in which all DSs prepare and share information of lists of users to whom each DS may provide solution, and even when a WSC inquires to any DS, the DS may send a response indicating another DS capable of providing solution about a WSP (see Patent Document 1). That is, upon receiving a request from a WSC, a DS determines whether the DS may provide a solution about the WSP. If providing the solution is not possible, the DS searches the shared information to find information of another DS that may provide a solution from, and returns the information of the found DS. The WSC, which has acquired the information of the DS as an inquiry result, inquires to the acquired DS and acquires information on the WSP.
Thus, even when WSC makes an inquiry to any DS, the WSC can obtain information on WSP easily. Also, since multiple DS holds the relations between the users and WSPs in a distributed manner, the leakage of a large amount of personal information at one time may be prevented.